Atlassian Bamboo Server and Data Center SQL Injection Vulnerability (CVE-2024-1597)

Atlassian released its Monthly Security Bulletin for March, which addressed 24 high-severity vulnerabilities and one critical-severity vulnerability (CVE-2024-1597).

CVE-2024-1597 is a SQL injection vulnerability in the Atlassian Bamboo Server and Data Center. The vulnerability has been given a critical severity rating with a CVSS score of 10. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute arbitrary SQL queries on a vulnerable system, allowing an attacker to dump critical data or execute arbitrary code.

Atlassian Bamboo Server is a continuous integration (CI) and continuous deployment (CD) tool that automates the release management of software applications.

Atlassian Bamboo Data Center is a continuous delivery pipeline that helps software development teams with automated workflows, continuous delivery, and built-in disaster recovery.

Vulnerability Details

The vulnerability exists in the dependency named ‘org.postgresql:postgresql’. In a low-complexity attack, an unauthenticated attacker can exploit the vulnerability without user interaction.

The maintainers have released an advisory for the CVE-2024-1597. As per the advisory, “SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code with a vulnerable SQL that negates a parameter value.”

When using the default query mode, the driver is not vulnerable. There is no effect on users who choose not to override the query mode.

Affected versions

  • from 9.5.0 to 9.5.1
  • from 9.4.0 to 9.4.3
  • from 9.3.0 to 9.3.6
  • from 9.2.0 to 9.2.11 (LTS)
  • from 9.1.0 to 9.1.3
  • from 9.0.0 to 9.0.4
  • from 8.2.0 to 8.2.9
  • Any earlier versions

Atlassian has mentioned in the advisory that “Bamboo & Other Atlassian Data Center products are unaffected by this vulnerability as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.”

Mitigation

Customers should update to the following fixed versions:

  • 9.6.0 (LTS) or 9.5.2 (recommended; Data Center only)
  • 9.4.4
  • 9.2.12 (LTS)
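As an added illustration, not code from the bulletin, Atlassian or the pgjdbc project, the following Python audit applies the conditions stated above to one deployment: the Bamboo version is checked strictly against the affected and fixed lists on this page, the JDBC URL is checked for the non-default preferQueryMode=simple, and SQL templates are checked for a `?` placeholder immediately preceded by a minus sign (the "negates a parameter value" shape quoted from the pgjdbc advisory). The deployment values used to exercise it are constructed; the `-?` check is a heuristic on raw template strings and does not parse string literals.

```python
import re

# Affected ranges exactly as listed in the bulletin (inclusive); anything below 8.2.0 is also affected.
AFFECTED = [((9, 5, 0), (9, 5, 1)), ((9, 4, 0), (9, 4, 3)), ((9, 3, 0), (9, 3, 6)),
            ((9, 2, 0), (9, 2, 11)), ((9, 1, 0), (9, 1, 3)), ((9, 0, 0), (9, 0, 4)),
            ((8, 2, 0), (8, 2, 9))]
FIXED = {(9, 6, 0), (9, 5, 2), (9, 4, 4), (9, 2, 12)}
# A '?' placeholder immediately preceded by a minus sign: the "negated parameter value"
# shape the pgjdbc advisory names. Heuristic on raw templates; it does not parse literals.
NEGATED_PLACEHOLDER = re.compile(r"-\?")

def parse_version(text):
    """'9.2.11' -> (9, 2, 11); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def bamboo_status(version):
    """'affected', 'fixed', or 'not listed', strictly per the bulletin's two lists."""
    v = parse_version(version)
    if v in FIXED:
        return "fixed"
    if v < (8, 2, 0) or any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected"
    return "not listed"  # neither list names it; do not assume it is safe

def uses_simple_query_mode(jdbc_url):
    """True when the JDBC URL's query string sets preferQueryMode=simple (case-insensitive)."""
    query = jdbc_url.split("?", 1)[1] if "?" in jdbc_url else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.strip().lower() == "preferquerymode" and value.strip().lower() == "simple":
            return True
    return False

def find_negated_placeholders(sql):
    # Offsets of every '-?' in a SQL template string.
    return [m.start() for m in NEGATED_PLACEHOLDER.finditer(sql)]

def audit(bamboo_version, jdbc_url, sql_templates):
    """Findings for one deployment; an empty list means nothing was flagged."""
    findings = []
    status = bamboo_status(bamboo_version)
    if status != "fixed":
        findings.append(f"Bamboo {bamboo_version} is {status} per the bulletin")
    if uses_simple_query_mode(jdbc_url):
        findings.append("JDBC URL sets the non-default preferQueryMode=simple")
        for sql in sql_templates:  # the SQL shape only matters in simple query mode
            for pos in find_negated_placeholders(sql):
                findings.append(f"negated placeholder at offset {pos} in {sql!r}")
    return findings
```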

Qualys Detection

Qualys customers can scan their devices with QID 731284 to detect vulnerable assets.

Continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://jira.atlassian.com/browse/BAM-25716
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html
